FortiGate
azhunissov
Staff
Article Id 417956
Description

This article describes a situation where a FortiGate forwards NetBIOS broadcast packets even though NetBIOS forwarding is disabled on the interface.

Scope
FortiGate running FortiOS 7.0.16, 7.2.10, 7.4.4, and later builds.
Solution

When the source IP address of the NetBIOS broadcast belongs to a different subnet than the FortiGate interface, the FortiGate does not recognize the packets as NetBIOS traffic.
Instead, it classifies them as generic UDP broadcast packets.
In this case, the FortiGate ignores the netbios-forward setting and, if allow-traffic-redirect is enabled in the global settings, it may still forward these broadcasts.

Example configuration:

config system interface
    edit "port1"
        set netbios-forward disable
    next
end

Example output:

FG6H0F-3 # get system status | grep build
Version: FortiGate-600F v7.4.8,build2795,250523 (GA.M)
First GA patch build date: 230509

FG6H0F-3 # show system interface port1
config system interface
edit "port1"
set vdom "root"
set ip 172.27.140.51 255.255.255.0 
set allowaccess ping https ssh http telnet fgfm
set type physical
set snmp-index 3
next
end

FG6H0F-3 # get system global | grep redir
admin-https-redirect: enable
allow-traffic-redirect: enable
ipv6-allow-traffic-redirect: enable

FG6H0F-3 # diagnose packet sniffer any 'host 172.27.40.220' 4 0 a
2025-10-23 10:19:11.718055 port1 in 172.27.40.220.137 -> 172.27.40.255.137: udp 30
2025-10-23 10:19:11.718063 port1 out 172.27.40.220.137 -> 172.27.40.255.137: udp 30
2025-10-23 10:19:12.718375 port1 in 172.27.40.220.137 -> 172.27.40.255.137: udp 30
2025-10-23 10:19:12.718382 port1 out 172.27.40.220.137 -> 172.27.40.255.137: udp 30

As shown above, even though netbios-forward is disabled on port1, the NetBIOS UDP broadcasts (UDP port 137 from 172.27.40.220, a source outside the 172.27.140.0/24 subnet of port1) are forwarded back out of the same interface because the traffic is redirected under allow-traffic-redirect.
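To spot this symptom in sniffer captures, the following added example (not part of the article or Fortinet's own tooling) parses verbosity-4 `diagnose packet sniffer` output and flags NetBIOS broadcasts (UDP 137/138) that entered and left the same interface with a source address outside that interface's subnet. The sample lines and the port1 subnet are taken from the output above; the interface-to-subnet map and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample: port1 subnet from `show system interface port1` and the
# four lines printed by `diagnose packet sniffer any 'host 172.27.40.220' 4 0 a`.
PORT1_NET = ipaddress.ip_network("172.27.140.51/24", strict=False)
SNIFFER_OUTPUT = """\
2025-10-23 10:19:11.718055 port1 in 172.27.40.220.137 -> 172.27.40.255.137: udp 30
2025-10-23 10:19:11.718063 port1 out 172.27.40.220.137 -> 172.27.40.255.137: udp 30
2025-10-23 10:19:12.718375 port1 in 172.27.40.220.137 -> 172.27.40.255.137: udp 30
2025-10-23 10:19:12.718382 port1 out 172.27.40.220.137 -> 172.27.40.255.137: udp 30
"""

# Matches "<date> <time> <intf> <in|out> <src>.<sport> -> <dst>.<dport>: udp <len>"
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): udp"
)
NETBIOS_PORTS = {137, 138}  # NetBIOS name service and datagram service


def parse_sniffer(text):
    """Yield one dict per UDP line of FortiGate verbosity-4 sniffer output."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            yield d


def find_redirected_netbios(text, intf_nets):
    """Return sorted (src, dst, intf) tuples for NetBIOS broadcasts that were seen
    'in' and then 'out' on the same interface while sourced from outside that
    interface's subnet, i.e. the case where netbios-forward is bypassed."""
    seen_in, hits = set(), set()
    for p in parse_sniffer(text):
        if p["dport"] not in NETBIOS_PORTS:
            continue
        key = (p["src"], p["dst"], p["intf"])
        if p["dir"] == "in":
            seen_in.add(key)
        elif key in seen_in:
            net = intf_nets.get(p["intf"])  # assumed map: interface -> subnet
            if net is not None and ipaddress.ip_address(p["src"]) not in net:
                hits.add(key)
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, intf in find_redirected_netbios(SNIFFER_OUTPUT, {"port1": PORT1_NET}):
        print(f"off-subnet NetBIOS broadcast {src} -> {dst} redirected out {intf}")
```

Feed it a longer capture and a map of every interface's subnet to list which off-subnet NetBIOS sources are being redirected before deciding whether to apply the global workaround below.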

Behavior by FortiOS version:

FortiOS 7.0.16 / 7.2.10 / 7.4.4 and later:
FortiGate may forward NetBIOS broadcasts when allow-traffic-redirect is enabled and the source IP is from a different subnet.

Earlier FortiOS versions:
When the source IP address is on a different network than the FortiGate interface performing traffic redirection, the traffic must match an IPv4 policy regardless of the allow-traffic-redirect setting.

Workaround:

Disable traffic redirection globally:

config system global
    set allow-traffic-redirect disable
end

This issue is known and is planned to be fixed in FortiOS 7.4.10, 7.6.5, and 8.0.0.

Related article:

Technical Tip: Traffic handled by FortiGate for packets with ingress & egress as same interface
